
SPLK-2002(205Q) Question #161: Real Exam Question with Answer & Explanation

The correct answer is A: Create signed SSL certificates and use them to encrypt data between the forwarders and indexers.

Question

A customer has a Splunk Enterprise deployment and wants to collect data from universal forwarders. What is the best step to secure log traffic?

Options

  • A. Create signed SSL certificates and use them to encrypt data between the forwarders and indexers.
  • B. Use the Splunk provided SSL certificates to encrypt data between the forwarders and indexers.
  • C. Ensure all forwarder traffic is routed through a web application firewall (WAF).
  • D. Create signed SSL certificates and use them to encrypt data between the search heads and

Explanation

Splunk Enterprise documentation clearly states that the best method to secure log traffic between Universal Forwarders (UFs) and Indexers is to implement Transport Layer Security (TLS) using signed SSL certificates. When Universal Forwarders send data to Indexers, this communication can be encrypted using SSL/TLS to prevent eavesdropping, data tampering, or interception while in transit. Splunk provides default self-signed certificates out of the box, but these are only for testing or lab environments and should not be used in production. Production-grade security requires custom, signed SSL certificates, either from an internal Certificate Authority (CA) or a trusted public CA. These certificates validate both the sender (forwarder) and receiver (indexer), ensuring data integrity and authenticity.

In practice, this involves:

  • Generating or obtaining CA-signed certificates.
  • Configuring the forwarder's outputs.conf to use SSL encryption (for example sslCertPath and sslPassword).
  • Configuring the indexer's inputs.conf and server.conf to require and validate client certificates.

This configuration ensures end-to-end encryption for all log data transmitted from forwarders to indexers. Routing traffic through a WAF (Option C) does not provide end-to-end encryption for Splunk's internal communication, and securing search head-to-indexer communication (Option D) is unrelated to forwarder data flow.

References

  • Securing Splunk Enterprise: Encrypting Data in Transit Using SSL/TLS
  • Configure Forwarder-to-Indexer Encryption
  • Server and Forwarder Authentication with Signed Certificates
  • Best Practices for Forwarder Management and Security Configuration
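The forwarder-to-indexer TLS setup the explanation describes, as an added example that is not from nerdexam or from Splunk's own documentation. Hostnames, certificate paths and the password value are placeholders; clientCert is assumed here as the current outputs.conf name for the setting the explanation calls sslCertPath (the older, deprecated name).

```ini
# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send to the indexer over TLS and verify the indexer's CA-signed certificate.
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
# placeholder hostname
server = indexer1.example.internal:9997
# CA-signed certificate plus private key (placeholder path)
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
# placeholder; the private-key password
sslPassword = CHANGE_ME_private_key_password
# refuse indexers whose certificate is not signed by the trusted CA
sslVerifyServerCert = true
# additionally pin the expected CN of the indexer certificate
sslCommonNameToCheck = indexer1.example.internal

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept forwarder traffic only over TLS and require a client certificate.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# CA-signed certificate plus private key (placeholder path)
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = CHANGE_ME_private_key_password
# forwarders that cannot present a CA-signed client certificate are refused
requireClientCert = true

# --- Both hosts: $SPLUNK_HOME/etc/system/local/server.conf ---
# The CA that signed both certificates; each side uses it to validate the peer.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```

With requireClientCert and sslVerifyServerCert both set, a plaintext or self-signed-only forwarder is rejected at the TLS handshake rather than silently accepted, which is the check to confirm after restarting both sides.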
